8/28/2014. MikroTik RouterOS Training. Inter-Networking. Internetworking 1. Overview. Lab Setup. Lab Setup. Autonomous system BGP MPLS

Transcription

1 MikroTik RouterOS Training Inter-Networking Overview BGP BGP Basics (ibgp, ebgp) Distribution, filtering and BGP attributes MPLS Introduction to MPLS LDP L2 and L3 VPN's Traffic Engineering Mikrotik Lab Setup X group number Lab Setup Divide in groups by four Make network setup as illustrated in next slide and routes connect to AP with SSID in 2.4Ghz band Each router has local network xy.0/24 where: X-group number Y-Routers number AP SSID= band=2.4ghz x1.0/ /24 AP x.1/ x1/ x2/ x.2/ x.5/ x.9/ x.10/ x.6/ x2.0/ x3.0/24 Mikrotik Mikrotik x4.0/24 4 Autonomous system Border Gateway Protocol (BGP) Set of routers under a single administrative control Routing exchange: Routers within AS use common IGP Routers between ASs use EGP Has its own number (ASN) Supports 16-bit value and 32-bit value Numbers reserved for private use Mikrotik Mikrotik Internetworking 1

2 BGP Basics Path Vector Implementation Stands for Border Gateway Protocol Designed as Inter-AS routing protocol Network topology is not exchanged, only reachability information. Only protocol that can handle Internet's size networks Uses path vector algorithm Treats whole AS as a single point in the path Prefix is advertised with the list of ASs along the path called AS path Hides network topology within an AS Cannot provide loopfree routing within an AS Mikrotik Mikrotik Path Vector Implementation Reject, already in the path Add to the path /24 Add to the path Add to the path BGP Capabilities BGP Speaker advertises supported capability codes If received capability is not supported, remote peer sends back notification BGP speaker attempts to peer without unsupported capability Some of RouterOS advertised capabilities: Route refresh Multi-protocol extension 4-byte AS support Mikrotik Mikrotik BGP Transport Operates by exchanging NLRI (network layer reachability information). NLRI includes a set of BGP attributes and one or more prefixes with which those attributes are associated Uses TCP as the transport protocol (port 179) Initial full routing table exchange between peers Incremental updates after initial exchange (maintains routing table version) Mikrotik Packet format Packet contains four main fields: Marker (128bits) used for authentication Length (16bits) Type (8bits) BGP message type Message body Mikrotik Internetworking 2

3 BGP message types Four message types: Open First message sent after TCP connection establishment, contains capability list. Confirmed by keepalive. Keepalive does not contain data, sent to keep hold timer from expiring Update actual route updates. Contains: NLRI Path attributes Notification sent when error condition occurs, contains error code and sub-code Mikrotik BGP session and updates Open with ASN4 capability Notification unsupported cap. Open without capability Keepalive Route Refresh message Update Passive BGP peer Mikrotik Networks Indicates what networks BGP should originate from the router. By default network is advertised only if corresponding route is present in routing table Synchronization can be turned off if: Your AS does not provide transit service All the transit routers run BGP Disabling sync allows BGP to converge faster. Sync can be dangerous if routes are flapping a lot. Configurable from Enable BGP /routing bgp instance set default as=300 router-id= /routing bgp peer add instance=default remote-address= remote-as=3000 If router-id is not specified, it is automatically set to least IP address on the router. Verify BGP connectivity. Any state other than established indicates that routers can not become neighbors (use print status for more details) [admin@] /routing bgp peer> print Flags: X - disabled, E - established # INSTAN REMOTE-ADDRESS REMOTE-AS 0 E default /routing bgp network Mikrotik Mikrotik Single homed Stub network Scenarios Private ASN is used (>64511) ISP originates only default route Actually no need for BGP Upstream ISP advertises networks Stub network has the same policy as ISP ISP /0 Stub net /16 Global net AS /24 Mikrotik Private AS Removal Private AS cannot be leaked to public /16 Global net Available for ebgp neighbors Announce only aggregate route Use following command /routing bgp peer set <peer-name> remove-private-as=yes ISP / /24 AS /24 AS65502 AS65501 Mikrotik Internetworking 3

4 BGP Lab I Create BGP network setup as illustrated in next slide: BGP peer from and to AP BGP peer from to BGP peer from to Advertise your local network Private ASN should be removed Originate default route to private AS routers Mikrotik X group number AP SSID= band=2.4ghz BGP peer AP x2/24 AS1x x2.0/ /24 BGP Lab I x1/ x.5/ x.6/30 AS1x x.1/ x.2/ x1.0/ x.10/30 AS x3.0/24 Mikrotik x4.0/ x.9/30 AS65500 Multihomed Stub network Scenarios Private ASN is used Can be used: As main/backup link Load sharing Upstream ISP advertises networks Stub network has the same policy as ISP ISP Stub net /16 Global net AS /24 Mikrotik Non-stub Scenarios Need to obtain AS number from ISP or RIR Address range from Regional Internet Registry Routing policy independent from ISPs Can be used: As main/backup link Load sharing More advanced routing policies Global net Mikrotik BGP and connection tracking Connection tracking is unable to keep valid track of connections with multi-homed BGP. Packets related to one connection can travel through different paths Do not drop invalid connections in firewall Con-track should be turned off for better performance BGP Lab II Add to the same AS as Add to the same AS as Make BGP peer between and Set up OSPF between routers in the same AS Set OSPF to distribute connected routes Announce both local networks from AS Mikrotik Mikrotik Internetworking 4

5 X group number AP SSID= band=2.4ghz BGP peer AP x2/ x2.0/ /24 BGP Lab II x1/ x.5/ x.6/30 AS1x x1.0/24 AS1x x.1/ x.2/ x.10/ x.9/ x3.0/24 BGP Lab II /ip route> print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit # DST-ADDRESS PREF-SRC GATEWAY DISTAN 0 ADb / ADC / _AP 0 2 ADC / _ 0 3 ADo / ADC / local 0 5 Db / ADb / Db / ADo / Db / ADb / Db / Mikrotik x4.0/24 25 Mikrotik BGP Lab II [admin@] /ip route> print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit # DST-ADDRESS PREF-SRC GATEWAY DISTAN 0 ADb / ADo / ADC / _ 0 3 ADC / _ 0 4 ADo / Db / ADb / ADC / local 0 8 Db / ADb / BGP redistributes only best route. Since on best route is one received from, router does not redistribute.12/024 and.14.0/24 back to Mikrotik Interior and Exterior BGP ibgp peering between routers inside an AS ebgp peering between routers from different ASs ebgp R5 ibgp R6 ebgp AS400 Mikrotik ebgp Almost always formed between directly connected peers (AS edge routers). Multi-hop configuration is required if peers are not directly connected Adds AS to advertised prefix's path By default Next-hop is changed to self ebgp Multihop example Lo: Lo: Eth1 Eth1 Eth2 /routing bgp peer add remote-address= x remote-as=x multihop=yes \ update-source=lo Configuration requires static routes or enabled IGP so that the neighbors can reach each other. Setting ebgp to Loopback addresses can protect BGP from DOS attacks Mikrotik Mikrotik Internetworking 5

6 ibgp Next-hop is not changed by default: Uses IGP (RIP,OSPF,static) to ensure network reachability within an AS Attributes learned from ibgp are not changed to impact the path selection to reach outside network AS path is not manipulated Provides ways to control exit point from an AS Received external route from ibgp peer is not propagated to other ibgp peers: Requires full mesh between ibgp peers. Mikrotik /ip route> print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit # DST-ADDRESS PREF-SRC GATEWAY DISTAN 0 ADb / ADb / ADC / ether1 0 3 ADC / ether2 0 4 ADC / dummy 0 5 Db / ADb / ADb / Db / ADb / Db dst-address= /24 gateway= gateway-status= unreachable distance=200 scope=40 target-scope=30 bgp-as-path="112" bgp-local-pref=100 bgp-origin=igp received-from=peer2 9 ADb dst-address= /24 gateway= gateway-status= reachable ether1 distance=20 scope=40 target-scope=10 bgp-as-path="100,112" bgp-origin=igp received-from=peer1 Mikrotik Loopback Eliminates dependency from physical interface to make TCP connection. Mostly used between ibgp peers In RouterOS empty bridge can be used as loopback Lo: Lo: Eth1 Eth1 Eth2 BGP Lab III Improve your setup by using loopback addresses between ibgp peers x.y/32, where x group number y router's number Add loopback address to OSPF networks Set loopback address as ospf and bgp router-id /interface bridge add name=lo /ip address add address= x/32 interface=lo /routing bgp peer add remote-peer= x remote-as=100 update-source=lo Mikrotik Mikrotik Route Distribution IGP (Static, OSPF, RIP, connected) routes can be redistributed /routing bgp instance set default redistribute-static=yes set default redistribute-ospf=yes Prefix origin is incomplete Risk of advertising all IGP routes Always use routing filters to avoid unwanted route advertisements Mikrotik Distribution Example /24 /ip route add dst-address= /24 type=unreachable /routing bgp instance set default redistribute-static=yes Packets will be ceased unless more specific route is present Good way to advertise supernet Mikrotik Internetworking 6

7 Routing Filters Main tool to control and modify routing information Organized in chains similar to firewall Specify in BGP peer's configuration which chains to use or BGP instance out filter Prefix passes instance chain, then moves to peer's chain /routing bgp peer set 0 in-filter=bgp-in out-filter=bgp-out /routing filter add chain=bgp-out prefix= /24 \ action=discard invert-match=yes Filter Chain example /routing bgp instance set default out-filter=bgp-o /routing bgp peer set peer1 out-filter=bgp-peer-o /routing filter add chain=bgp-o prefix= /24 action=accept \ set-bgp-communities=30:30 add chain=bgp-o action=discard add chain=bgp-peer-o prefix= /24 action=passthrough \ set-out-nexthop= ADb dst-address= /32 gateway= gateway-status= reachable ether2 distance=20 scope=40 target-scope=10 bgp-as-path="112" bgp-origin=igp bgp-communities=30:30 received-from=peer2 Mikrotik Mikrotik AS400 Prefix filtering # config on /routing bgp peer set peer1 out-filter=bgp-out /routing filter add prefix= /16 prefix-length=16-32 \ chain=bgp-out action=discard / /24 Mikrotik AS Path filtering Can be configured to allow updates only to/from certain AS Supports regular expressions. - any single character ^ - start of the as-path $ - end of the as-path _ - matches comma, space, start and end of as-path # config on /routing filter add chain=bgp-out action=discard \ bgp-as-path=_200_ Mikrotik BGP Soft Reconfiguration When action=discard is used, routes are not updated after filter change. Solution Use action=reject to keep routes in the memory Dynamic (Peer must support refresh capability): Peer refreshes the routes after the changes are done. No additional memory is used It is not done automatically - need to run refresh command Mikrotik BGP Lab IV Set up routing filters in the way that: does not receive x2.0/24 prefix via AP does not receive x1.0/24 prefix via AP does not receive x4.0/24 prefix from does not receive x3.0/24 prefix from Mikrotik Internetworking 7

8 BGP Lab IV BGP decision algorithm Lets look at. If set up properly traceroutes to network x2 should go over and traceroutes to x4 should go over AP /ip address> /tool traceroute \ src-address= # ADDRESS RT1 RT2 RT3 STATUS ms 4ms 4ms ms 4ms 4ms [admin@] /ip address> /tool traceroute \ src-address= # ADDRESS RT1 RT2 RT3 STATUS ms 2ms 2ms ms 4ms 4ms ms 6ms 6ms Mikrotik BGP uses single best path to reach the destination BGP always propagates the best path to the neighbors Different prefix attributes are used to determine best path, like weight, next-hop, as-path, localpref etc. Setting peer to loopback address can force BGP to install ECMP route (for load balancing). Mikrotik Best path selection Next-hop validation Highest WEIGHT (default 0) Highest LOCAL-PREF (default 100) Shortest AS-PATH Locally originated path (aggregate, BGP network) Lowest origin type (IGP,EGP,Incomplete) Lowest MED (default 0) Prefer ebgp over ibgp Prefer the route with lowest router ID or ORIGINATOR_ID Shortest route reflection cluster (default 0) Nexthop IP address that is used to reach a certain destination For ebgp nexthop is neighbor's IP address ebgp advertised nexthop is carried into ibgp. Dst: /24 next-hop: Dst: / next-hop: / Prefer the path that comes Mikrotik from 2012 the lowest neighbor address 45 Mikrotik Nexthop self Force BGP to use specific IP as a nexthop # config on /routing bgp peer set peer1 nexthop-choice=force-self Weight Weight is assigned locally to the router Prefix without assigned weight have default value of 0 Route with higher weight is preferred Dst: /24 next-hop: / Dst: /24 next-hop: /24 Weight= /24 Weight=50 Mikrotik Mikrotik Internetworking 8

9 Local Preference Indicates which path has preference to exit AS Path with higher Local Pref is preferred (default: 100) Advertised within AS /24 R5 AS Path List of AS numbers that an update has traversed /24 AS400 AS-path:200,100 AS-path:100 Local-pref = 200 Local-pref = 100 AS-path: 300,200,100 Mikrotik Mikrotik AS-Path Prepend AS-Path manipulations can be used to influence best path selection on upstream routers /24 AS-Path: 100,300, /24 AS-Path: 200,300 Origin Information of route origin: IGP interior or originating AS route. EGP route learned via Exterior Gateway protocol Incomplete origin is unknown, occurs when route is redistributed into BGP. Prepend = /24 Mikrotik Mikrotik MED MED Example Multi Exit Discriminator or Metric hint to external neighbor about path preference into an AS Lower metric is preferred (Default: 0) Med=10 Med=50 Med=0 Exchanged between AS and used to make decision inside that AS, not passed to third AS. Ignored if received from different ASs Med=100, and advertises the same network to with different med values. only compares MEDs coming from and, MED coming from is ignored (other attributes are used to select best path). Mikrotik Mikrotik Internetworking 9

10 X group number AP SSID= band=2.4ghz BGP Lab V x1.0/24 AP x1.0/ x3.0/24 AS1x x2.0/ x3.0/ x4.0/24 AS1x x2.0/ x4.0/24 Use as-path prepend to set up BGP fail-over and load sharing as illustrated Mikrotik Community Attribute that groups destinations Filters can be easily applied to whole group Default groups: No-export do not advertise to ebgp peer No-advertise do not advertise to any peer Internet advertise to Internet community Local-as do not send outside local AS (in nonconfederation network the same as no-export) Mikrotik Community Example Assume that you don't want to propagate routes learned from /24 # config on /routing filter add chain=bgp-out action=passthrough \ set-bgp-communities=no-export Community cont. 32-bit value written in format xx:yy Gives customer more policy control Simplifies upstream configuration Can be used by ISPs for: AS prepending options Geographic restrictions Blackholing, etc. Check Internet Routing Registry (IRR) Mikrotik Mikrotik Community Example cont. AS 100 defined public communities 100:500 advertise to all peers 100:501 advertise to AS 400 Community Example cont. # router config /routing bgp peer set to out-filter=bgp-out-as100 /routing filter add prefix= /24 action=accept\ chain=bgp-out-as100 set-bgp-communities=100:500 add prefix= /24 action=accept\ chain=bgp-out-as100 set-bgp-communities=100: /24 community=100: /24 community=100:501 ISP AS 400 AS 500 # router config /routing bgp peer set toas500 out-filter=bgp-out-as500 /routing filter add bgp-communities=100:501 action=discard\ chain=bgp-out-as500 Mikrotik Mikrotik Internetworking 10

11 ISP example aut-num: AS2588 as-name: LatnetServiss-AS descr: LATNET ISP member-of: AS-LATVIA remarks: remarks: remarks: x=0 Announce as is remarks: x=1 Prepend +1 remarks: x=2 Prepend +2 remarks: x=3 Prepend +3 remarks: x=4 Prepend +4 remarks: x=5 Prepend +5 remarks: remarks: 2588:400 Latvian Nets remarks: 2588:500 Announce to LIX (Latvian Internet Exchange) remarks: 2588:666 Don't announce (blackhole) remarks: 2588:70x Announce to uplinks with $x prepend remarks: 2588:900 Recieved from LIX (Latvian Internet Exchange) remarks: remarks: For more information please use the address remarks: iproute (at) latnet (dot) lv remarks: Extended Communities Used to carry additional fields in L2VPN and VPNv4 setups Some additional fields carried: Route Targets Site of Origin Control flags MTU Encapsulation flags Mikrotik Mikrotik Aggregation Summarization of more specific routes into supernet. Can be used to hide topology. Works only on the same instance BGP routes AS / / /24 BGP Route Reflector Re-advertises ibgp routes to avoid full mesh Reduces communication message count Minimizes amount of data per message: Only best path is reflected # config on /routing bgp aggregate add instance=default summary-only=yes \ prefix= /8 action=passthrough inherit-attributes=no RR Mikrotik Mikrotik Route Reflector Configuration RR is configured by enabling client to client reflection: /routing bgp instance set default client-to-client-reflection=yes /routing bgp peer add route-reflect=yes remote-peer=x.x.x.x... Route-reflect should be enabled only on route reflector router RouterOS can not be configured as pure route reflector BGP Confederation Divides AS into multiple ASs To outside world confederation appears as single AS Each AS must be fully meshed ibgp (or route reflectors) EBGP between confederation ASs exchange routing like ibgp AS-Path inside confederation is in scopes: as-path=(30,20) # confederation setup /routing bgp instance set default confederation=100 \ confederation-peers=20,30 Mikrotik Mikrotik Internetworking 11

12 R8 BGP Confederation AS-Path: 100,300 AS20 AS-Path:(20,30) R9 Lab VI: Confederation X group number AP SSID= band=2.4ghz AP Confederation AS xx00 AS1x x1.0/ x3.0/24 AS400 AS10 R5 AS30 R6 AS1x2 R x2.0/24 Mikrotik Mikrotik x4.0/24 68 Confederation AS-Path [admin@] /ip route> print detail Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit... 8 ADb dst-address= /24 gateway= gateway-status= recursive via distance=200 scope=40 target-scope=30 bgp-as-path="(112)" bgp-local-pref=100 bgp-origin=igp received-from=peer2 MultiProtocol BGP BGP packet format is designed for Ipv4 Address family attribute was created to carry new type of addresses. RouterOS supported address families: IPv6 L2VPN VPN4 Cisco style L2VPN Mikrotik Mikrotik BGP Instances Each BGP instance runs its own BGP selection algorithm Routes between instances are elected by other means (like distance) Routes from one instance are not redistributed automatically to another instance Needs: /routing bgp instance set <id> redistribute-other-bgp=yes BGP attributes are inherited from another instance Mikrotik Multi-protocol Label Switching (MPLS) LDP, VPNs (layer2,layer3), TE Mikrotik Internetworking 12

13 X group number MPLS Lab Setup MPLS Lab Setup AP SSID= band=2.4ghz x1.0/24 AP / x3.0/ x1/ x.1/30 Lo: x x2/ x.2/30 Lo: x.2 Lo: x x.5/ x.9/30 Reset router's configuration Set up configuration as illustrated Set up loopback addresses and run OSPF on all links Add loopback addresses to OSPF networks x.6/ x.10/ x2.0/24 Lo: x.4 Mikrotik x4.0/24 73 Mikrotik MPLS Basics Technology used to forward packets, based on short labels Initial goal: more efficient forwarding than IP routing (similar to ATM switching) Serves as foundation for some Advanced Services : Layer3 VPNs Any Transport over MPLS (AtoM), Layer2 VPNs MPLS Traffic Engineering MPLS Basics LER Label Edge Router or Provider Edge router (PE) LSR Label Switch Router or Provider router (P) Packets are classified and labeled at ingress LER LSRs forward packets using label swapping MPLS Backbone Label is removed at egress LER Guaranteed bandwidth Mikrotik services Mikrotik MPLS Basics Also called 2.5 layer protocol Shim header (32 bit) placed between OSI Layer2 and Layer3: Label (20 bits) EXP (3 bits) - CoS End of stack flag(1 bit) whether current label is the last in the stack TTL (8 bits) L2 MPLS L3 Label EXP S TTL Mikrotik MPLS Basics More than one label is allowed. Labels are grouped into label stack LSRs always use the top label of the stack Several Label distribution methods exist: Static Label mapping LDP maps unicast IP destination into label BGP external labels (VPN) RSVP,CR-LDP used for traffic engineering and resource reservation Mikrotik Internetworking 13

14 Static Label Mapping RouterOS allows to add static local and remote bindings for every destination. MPLS dynamic label range must be adjusted to free labels for static bindings. /mpls set dynamic-label-range= /mpls local-bindings /mpls remote-bindings /mpls forwarding-table Fwd: Static Label Mapping Lo: Lo: Lo: Local: DST LABEL impl-null DST HOP LABEL Remote: impl-null IN OUT DST DST LABEL impl-null DST HOP LABEL impl-null impl-null IN OUT DST DST LABEL impl-null DST HOP LABEL impl-null IN OUT DST Mikrotik Mikrotik Test with traceroute /mpls forwarding-table> print Flags: L - ldp, V - vpls, T - traffic-eng # IN-LABEL OUT-LABELS DESTINATION INTERFA NEXTHOP 0 expl-null... 4 L /32 ether [admin@] >/tool traceroute src-address= # ADDRESS RT1 RT2 RT3 STATUS ms 1ms 2ms <MPLS:L=23,E=0> ms 1ms 2ms Static Mapping LAB Create static label bindings for loopback addresses Since ECMP is not used in label binding, choose only first gateway Test if labels are set with traceroute: /tool traceroute src-address= Mikrotik Mikrotik LDP Stands for Label Distribution Protocol Relies on routing information provided by IGP creates a local label binding to each IP prefix and distributes to LDP neighbors IGP Prefix / /24 Label 21 Remote bindings /24 Label /24 Label 23 Label space Per interface label space packet is forwarded based on both the incoming interface and the label Per platform label space label is not unique per interface Label1 Path 1 Path 1 Path 2 Label1 Path 1 Path 1 Local binding Label 21 Local binding Label 22 Local binding Label 23 Mikrotik Label1 Path 2 Label1 Path 1 Mikrotik Internetworking 14

15 Distribution Modes Downstream-on-Demand (DoD) each LSR requests its next-hop label binding. (Not yet implemented) Unsolicited Downstream (UD) LSR distributes a binding all adjacent LSRs even if LSRs are requesting a label. Well known numbers LDP Hello messages UDP port 646 LDP transport session establishment TCP port 646 Hellos are sent to all routers in this subnet multicast address ( ) Mikrotik Mikrotik Configuring LDP Can be configured in /mpls ldp menu /mpls ldp set enabled=yes transport-address=x.x.x.x \ lsr-id=x.x.x.x /mpls ldp interface add interface=ether1 Setting transport address ensures proper penultimate hop popping behavior LDP Lab Remove all static mapping from previous lab Enable LDP and set lsr-id and transport address the same as loopback address Add LDP interfaces connecting neighbor routers Verify if LDP neighbors are created /mpls ldp neighbor print Check MPLS forwarding-table /mpls forwarding-table print Mikrotik Mikrotik Reserved Labels Labels from 0 to 15 are reserved, but only 4 are used at this point: 0 explicit NULL 1 router alert 2 Ipv6 explicit NULL 3 implicit NULL PHP Implicit NULL 0 PHP Explicit NULL Mikrotik Mikrotik Internetworking 15

16 Penultimate Hop Popping Router is egress point for network that is directly connected to it, next hop for traffic is not MPLS router Advertised with implicit null label Penultimate hop popping ensures that routers do not have to do unnecessary label lookup when it is known in advance that router will have to route packet Explicit NULL If configured, penultimate LSR forwards packet with NULL label, instead of popping stack. Useful to preserve QoS Not required if stack contains at least two labels (inner label can still carry QoS value) Implicit NULL is used by default Mikrotik Mikrotik MPLS Traceroute ICMP error messages are switched further along LSP It will give false increase in latency for that hop Label: 12 Label: 23 Label: 34 Targeted LDP Sessions In some cases it is necessary to set up targeted LDP session (session between not directy connected LSRs) Configuration: /mpls ldp neighbor add transport=<remote_ip> \ send-targeted=yes Targeted LDP Label: 32 Label: 43 LDP LDP LDP Mikrotik Mikrotik Label Binding Filtering Can be used to distribute only specified sets of labels to reduce resource usage Two types of binding filters: Which bindings should be advertised /mpls ldp advertise-filter Which bindings should be accepted /mpls ldp accept-filter Filters are applied only to incoming/outgoing advertisements. Any changes to filters requires /mpls ldp ldp disable/enable advertise-filter add prefix= /24 advertise=yes /mpls ldp advertise-filter add prefix= /0 advertise=no Mikrotik Label Binding LAB Set up label binding filters so that only bindings to loopback addresses from your group are sent and received. Check forwarding table to make sure filters worked Check if packets are label switched or L3 forwarded with traceroute Mikrotik Internetworking 16

17 Layer3 VPN VRF VRF Virtual Routing and Forwarding Based on policy routing Functionality of completely independent routing tables on one router. Multiple VRFs solves the problem of overlapping customer IP prefixes When nexthop resolving fails it is not resolved in main table (compared to policy routing) Mikrotik Mikrotik Route Leaking Route leaking is route exchange between separate VRFs Static Inter-VRF route: Explicitly specified routing table (works with main ) /ip route add gateway= @main routing-mark=vrf1 VRF and Router Management Any router management is not possible from vrf side (winbox, telnet, ssh...) Ping and traceroute tools are updated to support VRFs OSPF and BGP can be used as -PE protocol Explicitly specify interface /ip route add dst-address= /24 gateway= %ether2 \ routing-mark=main Mikrotik Mikrotik BGP/MPLS IP VPN L3VPN Works in Layer3 unlike BGP based VPLS. Also called L3VPN VPN A Site 1 RR Multiprotocol BGP is used to distribute routes between VRFs even in router itself. PE PE VPN B Site 2 Provider network MUST be MPLS enabled VPN B Site 1 PE VPN A Site 2 Mikrotik BGP OSPF as -PE VPN A VPN B Site 3 Site 3 Mikrotik Internetworking 17

18 Route Distinguisher Route distinguisher (RD) is used to make IPv4 prefixes unique RD+IPv4 prefix=vpnv4 prefix Format IP:num ASn:num Note: Some complex scenarios may require more than one RD by VPN Mikrotik Route Target Route Targets (RTs) were introduced for the ability to have interconnection between the sites of different companies, called extranet VPNs. Route Targets are BGP extended community to specify what vpnv4 prefixes will be imported into VRF table. Exporting RT - vpnv4 receives an additional BGP extended community Importing RT received vpnv4 route is checked for a matching RT Mikrotik VPN B Site 1 VPN A Site 2 Route Target Import: 100:3 100:2 Export: 100:1 Import: 100:2 Export: 100:4 Import: 100:1 100:4 Export: 100:2 Import: 100:1 Export: 100:3 VPN A Site 1 VPN B Site 2 Create VRF instance Configuring L3VPN /ip route vrf add routing-mark=vrf1 route-distinguisher=100:1 export-route-targets=100:1 import-route-targets=100:1 Configure BGP to use VRF and vpnv4 address family /routing bgp instance vrf add instance=default routing-mark=vrf1 \ redistribute-connected=yes /routing bgp peer add address-families=vpnv4 update-source=lo... Mikrotik Results /routing bgp vpn vpnv4-route print Mikrotik VPNV4 Lab Choose Route Reflector and set up ibgp (group AS: X00) Set up VPNV4 BGP Create VRF with interface where your laptop is connected Route Distinguisher and export RT: X00:Y Set up proper import route targets, so that only Green sites and Blue sites exchange routes (see next slide) Set up route leaking to access internet from VRF Mikrotik BGP peers X group number AP SSID= band=2.4ghz AP Lo: x.2 Green Site x2.0/24 VPNV4 Lab RR Lo: x.1 GroupAS: X00 Lo: x.4 Blue x1.0/24 Site x3.0/24 Green Site 2 Lo: x.3 Blue Site 2 Mikrotik x4.0/ Internetworking 18

19 OSPF and ebgp as -PE Distributes routes between and PE router's VRF On PE router specify which VRF to use /routing ospf instance set default routing-table=vrf1 redistribute-bgp=as-type-1 New instance to use ebgp as -PE /routing bgp instance add name=ebgp as=100 routing-table=vrf1 Layer 2 VPN LDP Based VPLS BGP Based VPLS -PE BGP AP instance PE OSPF BGP peer -PE BGP instance AP PE MPLS Cloud Mikrotik 2012 OSPF 109 Mikrotik LDP based VPLS Also called L2VPN or EoMPLS Glues together individual LANs across MPLS Uses LDP to negotiate VPLS tunnels Pseudowire demultiplexor field (PW label) is used to identify VPLS tunnel Pseudowire has MAC learning, flooding and forwarding functions Mikrotik Site 1 1 Site 2 2 LDP based VPLS PE1 PE3 L2 header SN label PW label P1 Customer's L2 frame MPLS backbone PE2 Pseudo wire Site customer's edge router PE - provider's edge router P Provider's core router Mikrotik Configuring VPLS Add VPLS tunnel termination points: /interface vpls add remote-peer=x.x.x.x vpls-id=x:x Dynamic targeted LDP neighbor is added VPLS tunnel ID must be unique for every VPLS Related VPLS tunnel information can be viewed by /interface vpls monitor command Bridge VPLS interface with local one to provide transparent connectivity Mikrotik Configuring VPLS Add VPLS tunnel termination points: /interface vpls add remote-peer=x.x.x.x vpls-id=x:x Dynamic targeted LDP neighbor is added VPLS tunnel ID must be unique for every VPLS Related VPLS tunnel information can be viewed by /interface vpls monitor command Bridge VPLS interface with local one to provide transparent connectivity Mikrotik Internetworking 19

20 Split Horizon Forward Ethernet frame coming from PE to connected s Packets are not forwarded to interfaces with the same horizon value Horizon value is set in bridge port configuration /interface bridge port add bridge=vpn interface=vpls1 horizon=1 1 2 PE1 1 1 PE LDP VPLS Lab Create VPLS tunnels between all routers from the group (VPLS ID x:x) Bridge VPLS interfaces with local interface on your router. VPN network is x0.0/24 where: x - group number Set up Split horizon to avoid loops Test connectivity between laptops in your group PE2 Mikrotik Mikrotik LDP VPLS Lab Create VPLS tunnels between all routers from the group (VPLS ID x:x) Bridge VPLS interfaces with local interface on your router. VPN network is x0.0/24 where: x - group number Set up Split horizon to avoid loops Test connectivity between laptops in your group VPLS tunnel X group number LDP VPLS Lab AP SSID= band=2.4ghz x0.1/24 Site 1 AP RR x0.3/24 VPN network: Site x0.0/24 Lo: x.1 Lo: x.2 Lo: x.3 Site x0.2/24 Lo: x.4 Site 4 Mikrotik Mikrotik x0.4/ [admin@] /mpls ldp neighbor> print Flags: X - disabled, D - dynamic, O - operational, T - sendingtargeted-hello, V - vpls # TRANSPORT LOCAL-TRANSPORT PEER SEND-TARGETED ADDRESSES 0 DOTV :0 no DOTV :0 no DOTV :0 yes [admin@] /interface vpls> monitor 0 remote-label: 40 local-label: 28 remote-status: transport: /32 transport-nexthop: imposed-labels: 22,40 LDP based VPN drawbacks Scalability issues due to static nature Requirement to maintain full mesh of LDP tunnels Configuration adjustment on all routers forming VPLS Mikrotik Mikrotik Internetworking 20

21 L2/MPLS MTU Importance MPLS MTU = IP MTU (L3) + MPLS headers L2MTU: 1500 Eth(14) IP(20) DATA(1480) MPLS MTU is adjustable from /mpls interface menu If MTU is too large and next header is IP Then generate ICMP Need Fragment error Else silently discard packet Eth(14) VLAN(4) MPLS(4) IP(20) DATA(1480) L2MTU: 1526 L2MTU: 1526 L2MTU: 1522 Eth(14) MPLS(4) VPLS(4) CW(4) Eth(14) MPLS(4) VPLS(4) CW(4) Eth(14) Eth(14) Eth(14) VPLS(4) CW(4) Eth(14) IP(20) IP(20) IP(20) DATA(1480) DATA(1480) DATA(1480) L2 MTU MPLS MTU IP (L3) MTU L2MTU: 1500 Eth(14) IP(20) DATA(1480) Full Frame Mikrotik Mikrotik VPLS Control Word 4-byte Control Word (CW) is used for packet fragmentation and reassembly inside VPLS tunnel Optional CW is added between PW label and packet payload CW can be turned off for compatibility with other vendors (some Cisco BGP based VPLS) Mikrotik Mikrotik BGP Based VPLS BGP VPLS functionality Autodiscovery no need to configure each VPLS router Signaling labels for VPLS tunnels distributed in BGP updates. No need for targeted LDP sessions No scalability issues No significant advantages over LDP in case of full mesh BGP. BGP Based VPLS configuration Configure BGP instance Enable l2vpn in BGP peer's address-families to use BGP multi protocol capability Use loopback address as BGP peers address by specifying update-source, in order for penultimate hop popping to work properly. /routing bgp peer add remote address= remote-as=100 update-source=lo address-families=l2vpn Mikrotik Mikrotik Internetworking 21

22 BGP Based VPLS configuration Configure VPN bridge Configure BGP signaled VPLS interface /interface vpls bgp-vpls add bridge=<bridge> bridge-horizon=1 site-id=1 \ route-distinguisher=1:1 import-route-targer=1:1 \ export-route-target=1:1 Dynamic VPLS tunnel gets created and added to bridge ports route-distinguisher value that gets attached to VPLS NLRI to distinguish advertisements, value should be unique for each VPLS site-id unique setting among members of particular VPLS Mikrotik BGP based VPLS Lab Choose which one of routers will be Route reflector (for example ) Set BGP peering only between RR Replace all statically created VPLS with BGP VPLS Set import/export route targets the same as route distinguisher. Mikrotik IP Routing Limitation Traffic Engineering After two IP traffic flows for the same destination are merged, it is impossible to split them and reroute over different paths Overloaded link from Router C to Router E A C E F B D 40Mbps traffic from A to F 40Mbps traffic from B to F Mikrotik Mikrotik Traffic Engineering TE solves the problem Can be used to steer traffic to less utilized links E A C F D Traffic Engineering Expands the capabilities of L2 ATM and Frame relay networks Constraint based routing - path for the traffic flow is shortest path that meets resource requirements (constraints) Eliminates the need of overplayed L2 mesh. B TE Tunnel1 50Mbps TE Tunnel2 50Mbps Mikrotik Mikrotik Internetworking 22

23 How it works TE establishes/maintains the tunnel using RSVP (Resource Reservation Protocol) Tunnel path at any point is determined based on network resources and tunnel requirements Available resources are flooded via OSPF Tunnel paths are calculated at the tunnel head based on a fit between required and available resources (constraint-based routing) RSVP TE tunnels are unidirectional Mikrotik TE Tunnel Path Options Tunnel path is routed based on routing table Tunnel path: use-cspf=no and empty hops Statically configured explicit path Tunnel path: use-cspf=no hops=<explicit hop config> Constrained Shortest Path First (CSPF) head end router calculates path to tail end using knowledge of network state. Needs assistance form IGP. Tunnel path: use-cspf=yes, empty hops or explicitly configured hops Mikrotik How it works Tunnel head end appears as interface Auto TE works within the range of one area Traffic can be forwarded automatically to TE if Remote endpoint of pseudowire is the same as TE endpoint BGP nexthop is tunnel endpoint ( can be turned off by setting use-te-nexthop=no ) TE configuration Set OSPF to use TE and configure TE on all interfaces participating in TE tunnel /routing ospf set mpls-te-area=backbone mpls-te-router-id=loopback /mpls traffic-eng interface add interface=ether1 bandwidth=50mbps Configure TE tunnel itself /mpls traffic-eng tunnel-path add use-cspf=no name=rt /interface traffic-eng add bandwidth=10mbps primary-path=rt from-address= to-address= Mikrotik Mikrotik TE configuration OSPF Result (should have opaque LSAs) TE tunnel monitoring [admin@] /interface traffic-eng> monitor 0 tunnel-id: 3 primary-path-state: established primary-path: rt secondary-path-state: not-necessary active-path: rt active-lspid: 1 active-label: 124 recorded-route: [124], [0] reserved-bandwidth: 10.0Mbps [admin@] /interface vpls> monitor 0 remote-label: 114 local-label: 113 remote-status: transport: traffic-eng1 transport-nexthop: imposed-labels: 124,114 Mikrotik TE configuration TE tunnel path and reservation state [admin@] /mpls traffic-eng path-state> print Flags: L - locally-originated, E - egress, F - forwarding, P - sendingpath, R - sending-resv # SRC DST BANDWIDTH OUT.. OUT-NEXT-HOP 0 LFP : :3 10.0Mbps _ [admin@] /mpls traffic-eng resv-state> print Flags: E - egress, A - active, N - non-output, S - shared # SRC DST BANDWIDTH LABEL INT... 0 AS : :3 10.0Mbps 124 _ [admin@] /mpls traffic-eng interface> print Flags: X - disabled, I - invalid # INTERFA BANDWIDTH TE-METRIC REMAINING-BW 0 _ 50Mbps Mbps 1 _ 50Mbps Mbps Mikrotik Internetworking 23

24 Static Path Static path is established by setting strict or loose hops: Strict - defines that there must not be any other hops between previous hop and "strict" hop (fully specified path) Loose - there are acceptable other hops between previous hop and defined hop (not fully specified path). /mpls traffic-eng tunnel-path add use-cspf=no \ hops= :strict, :loose, :strict A C B :loose Static path example E F D :strict, :strict, :loose :strict, :strict, :strict, :strict Mikrotik Mikrotik TE Lab I VPLS tunnel X group number TE Lab I Set up TE tunnels so that VPLS tunnels uses following switching paths: VPLS: <->; TE Path: -- primary VPLS: <->: TE Path: -- primary Experiment with different TE path types. AP SSID= band=2.4ghz x0.1/24 Site 1 AP RR x0.3/24 VPN network: Site x0.0/24 Lo: x.1 Lo: x.2 Lo: x.3 Site x0.2/24 Lo: x.4 Site 4 Mikrotik Mikrotik x0.4/ Secondary TE Tunnel Path TE does not switch paths automatically to secondary, tunnel must be reoptimized: Manually ( optimize command); Automatically (at configured reoptimize-interval ) TE tries to switch back to primary every minute (can be changed by primary-retry-interval ) Switching paths may take some time, depends on: OSPF timeouts, routing table updates, TE timeout settings. Auto Bandwidth By default TE tunnels do not apply rate limitations, bandwidth settings are only for reservation accounting To make tunnels more flexible two features were added: bandwidth-limit hard rate limit allowed to enter the tunnel, limit is percent of tunnel bandwidth. Auto bandwidth adjustment measures average rate during auto-bandwidth-avg-interval, tunnel keeps highest avg rate seen during auto-bandwidth-updateinterval. When update interval expires, tunnel chooses new highest rate from auto-bandwidth-range. Both options can be used in combination. Mikrotik Mikrotik Internetworking 24

25 TE Lab II VPLS tunnel X group number TE Lab II Set up TE tunnels so that VPLS tunnels uses following primary and backup switching paths: VPLS: <->; TE Path: -- primary, - - backup VPLS: <->: TE Path: -- primary, - - backup Set up TE tunnel bandwidth limit (automatic and static) and test limitation with bandwidth test. AP SSID= band=2.4ghz x0.1/24 Site 1 AP RR x0.3/24 VPN network: Site x0.0/24 Lo: x.1 Lo: x.2 Lo: x.3 Site x0.2/24 Lo: x.4 Site 4 Mikrotik Mikrotik x0.4/ Overall Summary MPLS improves performance Very easy to enable over existing core configuration Very easy to migrate from EoIP to VPLS New possibilities for ISPs to offer new services Mikrotik Internetworking 25